[db] Fix an injection issue in update

There's still plenty of potential for problems with this. Stuff like this is why #194 needs to happen. Related to #645.
sopel-irc · Oct 27, 2014 · d24db3c · d24db3c
1 parent f7d407d
commit d24db3c
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/willie/db.py b/willie/db.py
@@ -595,19 +595,19 @@ def update(self, row, values, key=None):
         cur = db.cursor()
         where = self._make_where_statement(key, row)
         cur.execute('SELECT * FROM ' + self.name + ' WHERE ' + where, rowl)
+        subs = list(values.iterkeys()) + list(values.itervalues())
         if not cur.fetchone():
-            vals = "'" + row + "'"
-            for k in values:
-                key = key + ', ' + k
-                vals = vals + ", '" + values[k] + "'"
-            command = ('INSERT INTO ' + self.name + ' (' + key + ') VALUES (' +
+            values[key] = row
+            vals = ', '.join(('%s',) * len(values))
+            keys = ', '.join(values.iterkeys())
+            subs = list(values.itervalues())
+            command = ('INSERT INTO ' + self.name + ' (' + keys + ') VALUES (' +
                        vals + ');')
         else:
-            command = 'UPDATE ' + self.name + ' SET '
-            for k in values:
-                command = command + k + "='" + values[k] + "', "
-            command = command[:-2] + ' WHERE ' + key + " = '" + row + "';"
-        cur.execute(command)
+            k_equals_v = ', '.join('%s = %s' * len(values))
+            command = 'UPDATE ' + self.name + ' SET ' + k_equals_v + ' WHERE ' + key + " = '" + row + "';"
+        command = command.replace('%s', self.db.substitution)
+        cur.execute(command, subs)
         db.commit()
         db.close()